From 04edb7f04bc181c8149ebd4fee2a5bc9815a42f8 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Fri, 7 Jun 2019 15:28:49 +0200 Subject: update notes with new design criterias add (some) PKCS #11 specs --- doc/pkcs11-base-v2.40-os.pdf | Bin 0 -> 1040993 bytes doc/pkcs11-curr-v2.40.pdf | Bin 0 -> 2081878 bytes p11proxy.md | 79 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 doc/pkcs11-base-v2.40-os.pdf create mode 100644 doc/pkcs11-curr-v2.40.pdf create mode 100644 p11proxy.md diff --git a/doc/pkcs11-base-v2.40-os.pdf b/doc/pkcs11-base-v2.40-os.pdf new file mode 100644 index 0000000..bd8573b Binary files /dev/null and b/doc/pkcs11-base-v2.40-os.pdf differ diff --git a/doc/pkcs11-curr-v2.40.pdf b/doc/pkcs11-curr-v2.40.pdf new file mode 100644 index 0000000..bde1d24 Binary files /dev/null and b/doc/pkcs11-curr-v2.40.pdf differ diff --git a/p11proxy.md b/p11proxy.md new file mode 100644 index 0000000..cf291b6 --- /dev/null +++ b/p11proxy.md 
@@ -0,0 +1,79 @@ +# p11p -- PKCS #11 proxy performing failover and load balancing + +p11p is a shared library and a daemon, both running on the same host +as a Cryptoki application, intercepting the communication with a +cryptographic device (typically a HSM) with the goal of dealing with +error handling and load balancing between devices. + +ASCII art time! + + +------------------------------------=--------------+ + | PC/server/laptop | + | | + | +----------------------------+ | + | | application (process) | +---------------+ | + | | | | p11pd | | + | | +------------------------+ | | | | + | | | p11p-client.so (solib) |--->| +-----------+ | | + | | +------------------------+ | | | vendor.so | | | + | +----------------------------+ | +-----------+ | | + | +------|------- + | + +----------------------------------------|----------+ + v + +-----+ + | HSM | + +-----+ + +## Goals + +* Detect when a Cryptoki library operation fails and retry the + operation, possibly on another cryptographic device. + +* Provide failover and load balancing between cryptographic devices. + +* Put some ground between a Cryptoki application and a Cryptoki + library. + +## Non-goals + +* Take control over the TCP session between a Cryptoki application and + a cryptographic device. + + Could be accomplished by providing proxying / forwarding of PKCS #11 + sessions to a system with access to a PKCS #11 aware cryptographic + device. + +## Functionality + + + +## Inspiration + +- [p11-kit https://github.com/p11-glue/p11-kit/] + +## Specification + + + +### PKCS #11 + +#### Supported mechanisms + +TBD + +## Use cases + +- Migrating from one kind of HSM to another kind of HSM. + + +## NOTES + +- apt install p11-kit libp11-dev + +## External dependencies + +TBD + +## External documentation + +- [OASIS PKCS 11 TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11) -- cgit v1.1
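Review bot: The first goal in p11proxy.md ("Detect when a Cryptoki library operation fails and retry the operation, possibly on another cryptographic device") does not say which operations may be retried or what state must already exist on the second device, and the empty Functionality and Specification sections leave that open. Suggest stating, here or under Specification, which Cryptoki calls are considered safe to retry, how sessions and login state are re-established on failover, and whether the devices are expected to hold the same keys. The diagram shows p11p-client.so talking to p11pd without naming the transport or who is allowed to connect to the daemon; the only channel the text mentions is the TCP session in the non-goals, so a sentence on the local channel would help. Smaller points: the Inspiration entry puts the URL inside the brackets (`[p11-kit https://github.com/p11-glue/p11-kit/]`) and will not render as a link, unlike the OASIS entry under External documentation; the top border of the ASCII box has a stray `=`; and Functionality and Specification are left empty while the other unfinished sections say TBD.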